Cyber security standards
Cybersecurity standards are security standards which enable organizations to practice safe security techniques to minimize the number of successful cybersecurity attacks. These guides provide general outlines as well as specific techniques for implementing cybersecurity. For certain standards, cybersecurity certification by an accredited body can be obtained. There are many advantages to obtaining certification, including the ability to get cybersecurity insurance. (The spelling of Cyber Security or Cybersecurity depends on the institution, and there have been discrepancies in older documents. However, since the U.S. Federal Executive Order (EO) 13636 on the subject was titled “Improving Critical Infrastructure Cybersecurity”, most forums and media have embraced spelling "cybersecurity" as a single word.)
Cybersecurity standards have been created recently because sensitive information is now frequently stored on computers that are attached to the Internet. Also, many tasks that were once done by hand are now carried out by computer; therefore there is a need for Information Assurance (IA) and security.
ISO 27001 and 27002
ISO/IEC 27001:2005, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements.
ISO/IEC 27001:2005 formally specifies a management system that is intended to bring information security under explicit management control.
ISO/IEC 27002 mainly incorporates part 1 of the BS 7799 good security management practice standard. The latest version of BS 7799 is BS 7799-3. ISO/IEC 27002 is therefore sometimes referred to as ISO 17799 or BS 7799 part 1, and sometimes it refers to part 1 and part 7. BS 7799 part 1 provides an outline or good practice guide for cybersecurity management, whereas BS 7799 part 2 and ISO 27001 are normative and therefore provide a framework for certification. ISO/IEC 27002 is a high-level guide to cybersecurity. It is most beneficial as explanatory guidance for the management of an organisation seeking certification to the ISO 27001 standard. The certification, once obtained, lasts three years. Depending on the auditing organisation, no or some intermediate audits may be carried out during the three years.
ISO 27001 (ISMS) replaces BS 7799 part 2, but since it is backward compatible, any organization working toward BS 7799 part 2 can easily transition to the ISO 27001 certification process. There is also a transitional audit available to make it easier for an organization that is BS 7799 part 2-certified to become ISO 27001-certified. ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). It states the information security systems required to implement ISO 27002 control objectives. Without ISO 27001, ISO 27002 control objectives are ineffective. ISO 27002 control objectives are incorporated into ISO 27001 in Annex A.
ISO/IEC 21827 (SSE-CMM – ISO/IEC 21827) is an International Standard based on the Systems Security Engineering Capability Maturity Model (SSE-CMM) that can measure the maturity of ISO control objectives.
Standard of good practice
In the 1990s, the Information Security Forum (ISF) published a comprehensive list of best practices for information security as the Standard of Good Practice (SoGP). The ISF continues to update the SoGP every two years; the latest version was published in 2013.
Originally the Standard of Good Practice was a private document available only to ISF members, but the ISF has since made the full document available for sale to the general public.
Among other programs, the ISF offers its member organizations a comprehensive benchmarking program based on the SoGP. Furthermore, it is important for those in charge of security management to understand and adhere to NERC CIP compliance requirements.
The North American Electric Reliability Corporation (NERC) has created many standards. The most widely recognized is NERC 1300 which is a modification/update of NERC 1200. The newest version of NERC 1300 is called CIP-002-3 through CIP-009-3 (CIP=Critical Infrastructure Protection). These standards are used to secure bulk electric systems although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes. 
- Special publication 800-12 provides a broad overview of computer security and control areas. It also emphasizes the importance of the security controls and ways to implement them. Initially this document was aimed at the federal government although most practices in this document can be applied to the private sector as well. Specifically it was written for those people in the federal government responsible for handling sensitive systems. 
- Special publication 800-14 describes common security principles that are used. It provides a high level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within this document. 
- Special publication 800-26 provides advice on how to manage IT security. This document emphasizes the importance of self assessments as well as risk assessments. 
- Special publication 800-37, updated in 2010, provides a new risk approach: "Guide for Applying the Risk Management Framework to Federal Information Systems"
- Special publication 800-53 rev3, "Guide for Assessing the Security Controls in Federal Information Systems", updated in August 2009, specifically addresses the 194 security controls that are applied to a system to make it "more secure".
This standard develops what is called the “Common Criteria”. It allows many different software applications to be integrated and tested in a secure way.
RFC (Request for Comments) 2196 is a memorandum published by the Internet Engineering Task Force for developing security policies and procedures for information systems connected to the Internet. RFC 2196 provides a general and broad overview of information security including network security, incident response, and security policies. The document is very practical and focuses on day-to-day operations.
ISA/IEC-62443 (Formerly ISA-99)
ISA/IEC-62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (i.e. asset owners), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.
These documents were originally referred to as ANSI/ISA-99 or ISA99 standards, as they were created by the International Society for Automation (ISA) and publicly released as American National Standards Institute (ANSI) documents. In 2010, they were renumbered to be the ANSI/ISA-62443 series. This change was intended to align the ISA and ANSI document numbering with the corresponding International Electrotechnical Commission (IEC) standards.
All ISA work products are now numbered using the convention “ISA-62443-x-y” and previous ISA99 nomenclature is maintained for continuity purposes only. Corresponding IEC documents are referenced as “IEC 62443-x-y”. The approved IEC and ISA versions are generally identical for all functional purposes.
ISA99 remains the name of the Industrial Automation and Control System Security Committee of the ISA. Since 2002, the committee has been developing a multi-part series of standards and technical reports on the subject. These work products are then submitted to the ISA for approval and publishing under ANSI. They are also submitted to IEC for review and approval as standards and specifications in the IEC 62443 series.
All ISA-62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System, and Component.
- The first (top) category includes common or foundational information such as concepts, models and terminology. Also included are work products that describe security metrics and security life cycles for IACS.
- The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
- The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
- The fourth category includes work products that describe the specific product development and technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrators and asset owners to assist in the procurement of secure products.
The planned and published ISA-62443 documents are as follows:
- Group 1: General
  - ISA-62443-1-1 (IEC/TS 62443-1-1) (formerly referred to as "ISA-99 Part 1") was originally published as ISA standard ANSI/ISA-99.00.01-2007, as well as an IEC technical specification IEC/TS 62443-1-1. The ISA99 committee is currently revising it to make it align with other documents in the series, and to clarify normative content.
  - ISA-TR62443-1-2 (IEC 62443-1-2) is a master glossary of terms used by the ISA99 committee. This document is a working draft, but the content is available on the ISA99 committee Wiki.
  - ISA-62443-1-3 (IEC 62443-1-3) identifies a set of compliance metrics for IACS security. This document is currently under development and the committee will be releasing a draft for comment in 2013.
  - ISA-62443-1-4 (IEC/TS 62443-1-4) defines the IACS security life cycle and use case. This work product has been proposed as part of the series, but as of January 2013 development had not yet started.
- Group 2: Policy and Procedure
  - ISA-62443-2-1 (IEC 62443-2-1) (formerly referred to as "ANSI/ISA 99.02.01-2009 or ISA-99 Part 2") addresses how to establish an IACS security program. This standard is approved and published by the IEC as IEC 62443-2-1. It is now being revised to permit closer alignment with the ISO 27000 series of standards.
  - ISA-62443-2-2 (IEC 62443-2-2) addresses how to operate an IACS security program. This standard is currently under development.
  - ISA-TR62443-2-3 (IEC/TR 62443-2-3) is a technical report on the subject of patch management in IACS environments. This report is currently under development.
  - ISA-62443-2-4 (IEC 62443-2-4) focuses on the certification of IACS supplier security policies and practices. This document was adopted from the WIB organization and is now a working product of the IEC TC65/WG10 committee. The proposed ISA version will be a U.S. national publication of the IEC standard.
- Group 3: System Integrator
  - ISA-TR62443-3-1 (IEC/TR 62443-3-1) is a technical report on the subject of suitable technologies for IACS security. This report is approved and published as ANSI/ISA-TR99.00.01-2007 and is now being revised.
  - ISA-62443-3-2 (IEC 62443-3-2) addresses how to define security assurance levels using the zones and conduits concept. This standard is currently under development.
  - ISA-62443-3-3 (IEC 62443-3-3) defines detailed technical requirements for IACS security. This standard has been published as ANSI/ISA-62443-3-3 (99.03.03)-2013. It was previously numbered as ISA-99.03.03.
- Group 4: Component Provider
  - ISA-62443-4-1 (IEC 62443-4-1) addresses the requirements for the development of secure IACS products and solutions. This standard is currently under development.
  - ISA-62443-4-2 (IEC 62443-4-2) series addresses detailed technical requirements for the IACS component level. This standard is currently under development.
More information about the activities and plans of the ISA99 committee is available on the ISA99 committee Wiki site. For more information on the activities of the IEC TC65/WG10 committee see the IEC TC65 site.
ISA Security Compliance Institute
Related to the work of ISA 99 is the work of the ISA Security Compliance Institute. The ISA Security Compliance Institute (ISCI) has developed compliance test specifications for ISA99 and other control system security standards. They have also created an ANSI accredited certification program called ISASecure for the certification of industrial automation devices such as programmable logic controllers (PLC), distributed control systems (DCS) and safety instrumented systems (SIS). These types of devices provide automated control of industrial processes such as those found in the oil and gas, chemical, electric utility, manufacturing, food and beverage, and water/wastewater processing industries. There is growing concern from both governments and private industry regarding the risk that these systems could be intentionally compromised by "evildoers" such as hackers, disgruntled employees, organized criminals, terrorist organizations, or even state-sponsored groups. The recent news about the industrial control system malware known as Stuxnet has heightened concerns about the vulnerability of these systems.
A UK-based standard for Information Assurance at Small to Medium Enterprises (SMEs). Provides criteria and certification for small to medium business cyber security readiness. Allows small to medium businesses to provide potential and existing customers and clients with an accredited measurement of the cyber security posture of the enterprise and its protection of personal/business data. Established to enable businesses with capitalization of 1.2 Billion Pounds or less (1.5 Billion Euros; 2 Billion US Dollars) to achieve an accreditation similar to ISO 27001 but with reduced complexity, cost, and administrative overhead (specifically focused on SMEs in recognition that it is difficult for small cap businesses to achieve and maintain ISO 27001). The cost of the certification is progressively graduated based upon the employee population of the SME (e.g., 10 & fewer, 11 to 25, 26 - 100, 101 - 250 employees); the certification can be based upon a self-assessment with an IASME questionnaire or by a third party professional assessor. Some insurance companies reduce premiums for cyber security related coverage based upon the IASME certification.
- 201 CMR 17.00 (Massachusetts Standards for the Protection of Personal Information)
- BS 7799
- Common Criteria
- Computer security
- Computer Security Policy
- Information security
- Information assurance
- ISO/IEC 27002
- IT Baseline Protection Catalogs
- North American Electric Reliability Corporation (NERC)
- National Institute of Standards and Technology (NIST)
- Payment Card Industry Data Security Standard
- Standard of Good Practice
- Semantic service-oriented architecture (SSOA)
- ISA-99 Security for Industrial Automation and Control Systems
- Control system security
- Information security indicators